[Full-disclosure] [scip_Advisory] NetGear RP114 Flooding Denial of Service

2005-12-12 Thread Marc Ruef
 
NetGear RP114 TCP SYN Flooding Denial of Service

scip AG Vulnerability (12/12/2005)

I. INTRODUCTION

NetGear is a popular manufacturer of network devices. Their SOHO and
appliance boxes in particular are widely used in private settings. One
of these products is the RP114, a hub device with additional routing,
packet and simple content filtering functionality.

More information is available at the official NetGear web site:

http://www.netgear.com

II. DESCRIPTION

Marc Ruef found an old-fashioned denial of service flaw in this device.
By starting a transit TCP SYN flood, routing between the internal and
the external interface is no longer possible. An attacker can use this
to prevent legitimate users from accessing connected networks (e.g. the
WAN/Internet). Other devices by NetGear (e.g. routers and WLAN access
points) may also be affected.

III. EXPLOITATION

Running a TCP SYN flood is very simple and can be realized with a large
variety of public attack tools. But it is also possible to initiate such
an attack by misusing a port scanning utility. Starting a scan with nmap
by Fyodor with the following command reproduces the denial of service:

   nmap -PS80 192.168.0.0/24

It does not matter how many target ports or hosts are defined. It is
just important to open approx. more than 740 persistent, half-open
connections. It is also required to scan something on the other
interface of the device than the one the attacker is connected to (e.g.
scanning an external host while sitting on the internal interface, and
vice versa).

IV. IMPACT

After a successful attack, no further routing between the networks is
possible. This makes it impossible for legitimate users to connect to
the Internet or another network segment. During this time, direct
connections to the affected device remain possible (e.g. connections to
the web interface or ping).

Only a reboot of the device can restore the productive status
immediately. Otherwise you have to wait approx. 2 minutes for the device
to flush all half-open connections and return to full operational status.

V. DETECTION

Detection of this attack is not possible on the device itself. However,
additional security devices (e.g. dedicated firewalls or intrusion
detection systems) are able to detect this kind of classical attack.

VI. WORKAROUND

Do not plug the RP114 into untrusted networks where the interconnection
requires high availability. In this case, move to more professional
hardware that is able to handle a large number of persistent connections
adequately.

VII. VENDOR RESPONSE

No response from NetGear came back. Due to the fact that the affected
device RP114 is no longer listed on the web site and the last firmware
dates back to 2002, no firmware update can be expected.

VIII. SOURCES

scip AG Vulnerability Database (German)
http://www.scip.ch/cgi-bin/smss/showadvf.pl

scip monthly Security Summary (German)
http://www.scip.ch/publikationen/smss/

computec.ch document data base (German)
http://www.computec.ch/download.php?list.7 (Denial of Service)
http://www.computec.ch/download.php?list.8 (Firewalling)
http://www.computec.ch/download.php?list.11 (Networking)

IX. DISCLOSURE TIMELINE

11/23/05 Marc Ruef verifies the long-suspected flaw
11/24/05 Vendor informed by sending an email to
pressrelations-at-netgear.com
12/12/05 Public advisory

X. CREDITS

The vulnerability was discovered and analyzed by Marc Ruef at scip AG,
Switzerland.

Marc Ruef, scip AG
maru-at-scip.ch
http://www.scip.ch

A1. BIBLIOGRAPHY

See VIII. for some useful web resources.

A2. LEGAL NOTICES

Copyright (c) 2005 by scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect or consequential loss or damage from use of or reliance
on this advisory.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
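A defender-side check for the half-open connection build-up described in sections III and IV of the advisory, added here as an example and not part of the scip advisory. It assumes a monitoring point (firewall or IDS, as section V suggests) that sees client-side TCP flags; the packet records are constructed, and the advisory's approximate figures (more than 740 half-open connections, a 2-minute flush) are used as thresholds.

```python
from collections import defaultdict
from dataclasses import dataclass

HALF_OPEN_THRESHOLD = 740   # advisory: approx. more than 740 half-open connections
FLUSH_SECONDS = 120         # advisory: device flushes half-open state after approx. 2 minutes


@dataclass(frozen=True)
class Packet:
    """One observed TCP segment; flags is a subset of 'SAFR' (e.g. 'S', 'SA', 'A', 'R')."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def half_open_by_source(packets, now, window=FLUSH_SECONDS):
    """Return {client_ip: number of half-open connections} still pending at time `now`.

    A connection is half-open once the client's SYN is seen and stays so until the
    client's handshake ACK, or an RST/FIN from either side, is seen. SYNs older than
    `window` are treated as flushed, mirroring the device's own timeout.
    """
    pending = {}  # (src, sport, dst, dport) -> timestamp of the SYN
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            pending[key] = p.ts
        elif "A" in p.flags and "S" not in p.flags and key in pending:
            del pending[key]            # third handshake step: connection fully open
        elif "R" in p.flags or "F" in p.flags:
            pending.pop(key, None)      # torn down from either direction
            pending.pop(reverse, None)
    counts = defaultdict(int)
    for (src, _, _, _), ts in pending.items():
        if now - ts <= window:
            counts[src] += 1
    return dict(counts)


def syn_flood_sources(packets, now, threshold=HALF_OPEN_THRESHOLD):
    """Sources whose live half-open connection count exceeds the advisory's threshold."""
    counts = half_open_by_source(packets, now)
    return sorted((src, n) for src, n in counts.items() if n > threshold)


def build_sample():
    """Constructed traffic: one host SYN-scanning three ports across a /24 (762 SYNs,
    none answered), one host completing normal handshakes, and one host whose stale
    SYNs are older than the flush window."""
    pkts = []
    sport = 40000
    for host in range(1, 255):                          # 192.168.0.1 .. 192.168.0.254
        for dport in (22, 80, 443):
            pkts.append(Packet(100.0 + len(pkts) * 0.01, "10.0.0.5", sport,
                               f"192.168.0.{host}", dport, "S"))
            sport += 1
    # ordinary client: SYN / SYN-ACK / ACK completes; a second attempt is reset by the server
    pkts += [Packet(150.0, "10.0.0.7", 50001, "192.168.0.10", 80, "S"),
             Packet(150.1, "192.168.0.10", 80, "10.0.0.7", 50001, "SA"),
             Packet(150.2, "10.0.0.7", 50001, "192.168.0.10", 80, "A"),
             Packet(151.0, "10.0.0.7", 50002, "192.168.0.10", 8080, "S"),
             Packet(151.1, "192.168.0.10", 8080, "10.0.0.7", 50002, "R")]
    # stale SYNs from before the flush window
    pkts += [Packet(10.0, "10.0.0.9", 60000 + i, "192.168.0.20", 80, "S") for i in range(50)]
    return pkts


if __name__ == "__main__":
    for src, n in syn_flood_sources(build_sample(), now=200.0):
        print(f"ALERT: {src} holds {n} half-open connections (threshold {HALF_OPEN_THRESHOLD})")
```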


Re: [Full-disclosure] [scip_Advisory] NetGear RP114 Flooding Denial ofService

2005-12-12 Thread Morning Wood
dunno, but I know this has been an issue since the rt314 product (
1999-2000? )
a simple nmap -sS target triggers it external, and no surprise internal as
well.
( not fun running pentests behind one of these babys )
I don't know if you noticed that existing connections don't appear to be
affected
( IM and streaming traffic ) but dns generally gets hosed.

my2bits,
Donnie Werner
http://exploitlabs.com



[Full-disclosure] Phishers now abusing dynamic DNS services

2005-12-12 Thread pagvac
I got another Paypal phishing attempt today (I get about one every week :-) ).

The interesting thing about this attempt is that the phisher seems to
be using a dynamic DNS service to gain the trust of the victim.

In this case the HTML link was pointing to http://www.paypal.25u.com
which doesn't seem to resolve at this moment.

www.paypal.25u.com does of course look more legitimate than some
random IP address in which the word paypal is not included.


--
pagvac (Adrian Pastor)
www.ikwt.com - In Knowledge We Trust


Re: [Full-disclosure] Phishers now abusing dynamic DNS services

2005-12-12 Thread Nick FitzGerald
pagvac wrote:

 [Full-disclosure] Phishers now abusing dynamic DNS services
 ^^^
 |||

now -- you don't think this is news do you???

I guess if you only get one (PayPal) phish per week your sampling is so 
disproportionate that you might have avoided getting one of these 
before, and thus it seems like a new development...


Regards,

Nick FitzGerald



Re: [Full-disclosure] Phishers now abusing dynamic DNS services

2005-12-12 Thread Barrie Dempster
On Mon, 2005-12-12 at 10:22 +, pagvac wrote:
 I got another Paypal phishing attempt today (I get about one every week :-) ).
 
 The interesting thing about this attempt is that the phisher seems to
 be using a dynamic DNS service to gain the trust from the victim.
 
 In this case the html link was pointing to http://www.paypal.25u.com
 which doesn't seem to resolve at this moment.
 
 www.paypal.25u.com does of course look more legitimate than some
 random IP address in which the word paypal is not included.

They are new to phishing and didn't have the carding facilities to get
themselves a registered domain that looks similar enough to Paypal. ;-)

When this phishing attempt reaps them some required information they
will graduate to investing a few pennies in a domain.

This isn't terribly interesting or innovative, malware has been using
this sort of technique for quite some time.

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

He who hingeth aboot, geteth hee-haw Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:https://www.cacert.org/index.php?id=3



Re: [Full-disclosure] Phishers now abusing dynamic DNS services

2005-12-12 Thread pagvac
I don't know how new this is to be honest.

I just made a comment to the list because it was the first phishing
email I received that uses dynamic DNS and thought it was interesting.

On 12/12/05, Barrie Dempster [EMAIL PROTECTED] wrote:
 On Mon, 2005-12-12 at 10:22 +, pagvac wrote:
  I got another Paypal phishing attempt today (I get about one every week :-) 
  ).
 
  The interesting thing about this attempt is that the phisher seems to
  be using a dynamic DNS service to gain the trust from the victim.
 
  In this case the html link was pointing to http://www.paypal.25u.com
  which doesn't seem to resolve at this moment.
 
  www.paypal.25u.com does of course look more legitimate than some
  random IP address in which the word paypal is not included.

 They are new to phishing and didn't have the carding facilities to get
 themselves a registered domain that looks similar enough to Paypal. ;-)

 When this phishing attempt reaps them some required information they
 will graduate to investing a few pennies in a domain.

 This isn't terribly interesting or innovative, malware have been using
 this sort of technique for quite some time.

 --
 With Regards..
 Barrie Dempster (zeedo) - Fortiter et Strenue

 He who hingeth aboot, geteth hee-haw Victor - Still Game

 blog:  http://reboot-robot.net
 sites: http://www.bsrf.org.uk - http://www.security-forums.com
 ca:https://www.cacert.org/index.php?id=3





--
pagvac (Adrian Pastor)
www.ikwt.com - In Knowledge We Trust


[Full-disclosure] [SECURITY] [DSA 919-1] New curl packages fix potential security problem

2005-12-12 Thread Martin Schulze
- --
Debian Security Advisory DSA 919-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 12th, 2005 http://www.debian.org/security/faq
- --

Package: curl
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID : CVE-2005-4077 CVE-2005-3185
BugTraq ID : 15756 15102 15647
Debian Bug : 342339 342696

Several problems were discovered in libcurl, a multi-protocol file
transfer library.  The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2005-3185

A buffer overflow has been discovered in libcurl that could allow the
execution of arbitrary code.

CVE-2005-4077

Stefan Esser discovered several off-by-one errors that allow local
users to trigger a buffer overflow and cause a denial of service or
bypass PHP security restrictions via certain URLs.

For the old stable distribution (woody) these problems have been fixed in
version 7.9.5-1woody1.

For the stable distribution (sarge) these problems have been fixed in
version 7.13.2-2sarge4.  This update also includes a bugfix against
data corruption.

For the unstable distribution (sid) these problems have been fixed in
version 7.15.1-1.

We recommend that you upgrade your libcurl packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



Re: [Full-disclosure] Phishers now abusing dynamic DNS services

2005-12-12 Thread Florian Weimer
* pagvac:

 The interesting thing about this attempt is that the phisher seems to
 be using a dynamic DNS service to gain the trust from the victim.

to gain trust? Hm?

This is not really a new thing:

2005-04-19 08:24:49  ebayfraud.dyndns.org  A  220.110.65.252


RE: [Full-disclosure] Snort as IDS/IPS in mission-critical enterprisenetwork

2005-12-12 Thread Chris Cutler

Dear all,

Thanks for the valuable input. It was very much appreciated. I kind of get the 
impression that Snort is a very stable product but it needs a lot of effort 
configuring, monitoring and customizing. We will definitely give it a try. I 
assume I did not mention, we will be using the Windows binary. Is this as stable 
as the Linux version?


Some of you mentioned that many commercial products are based on Snort. 
Can anyone name another product besides those from Sourcefire?


One of the products that you might want to look at is from CounterSnipe, 
www.countersnipe.com They do SNORT based IDS/IPS devices at reasonable 
pricing.



Thanks again,
Native.Code



On 12/10/05, Technica Forensis [EMAIL PROTECTED] wrote:

what ever happened to FPGA/hardware based NIDS classifiers?  There
seemed to be a number of papers and even some open source (open cores) code 
to do 10GigE with ease.


still in the research labs?


http://www.cloudshield.com
and have your pocketbook ready, 'cause it ain't cheap.


[Full-disclosure] [USN-227-1] xpdf vulnerabilities

2005-12-12 Thread Martin Pitt
===
Ubuntu Security Notice USN-227-1  December 12, 2005
xpdf/cupsys/tetex-bin/kdegraphics/koffice vulnerabilities
CVE-2005-3191, CVE-2005-3192, CVE-2005-3193
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

cupsys
cupsys-bsd
cupsys-client
kpdf
kword
libpoppler0c2
tetex-bin
xpdf-reader
xpdf-utils

The problem can be corrected by upgrading the affected package to the
following versions:

Ubuntu 4.10:
  xpdf:  3.00-8ubuntu1.9
  cupsys:1.1.20final+cvs20040330-4ubuntu16.9
  tetex-bin: 2.0.2-21ubuntu0.7

Ubuntu 5.04:
  xpdf:  3.00-11ubuntu3.5
  tetex-bin: 2.0.2-25ubuntu0.3
  kword: 1:1.3.5-2ubuntu1.2
  kpdf:  4:3.4.0-0ubuntu3.2

Ubuntu 5.10:
  libpoppler0c2: 0.4.2-0ubuntu6.4
  tetex-bin: 2.0.2-30ubuntu3.3
  kword: 1:1.4.1-0ubuntu7.1
  kpdf:  4:3.4.3-0ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

infamous41md discovered several integer overflows in the XPDF code,
which is present in xpdf, the Poppler library, tetex-bin, KOffice, and
kpdf. By tricking a user into opening a specially crafted PDF file,
an attacker could exploit this to execute arbitrary code with the
privileges of the application that processes the document.

The CUPS printing system also uses XPDF code to convert PDF files to
PostScript. By attempting to print such a crafted PDF file, a remote
attacker could execute arbitrary code with the privileges of the
printer server (user 'cupsys').



[Full-disclosure] [USN-222-2] Perl vulnerability

2005-12-12 Thread Martin Pitt
===
Ubuntu Security Notice USN-222-2  December 12, 2005
perl vulnerability
CVE-2005-3962
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libperl5.8
perl-base

The problem can be corrected by upgrading the affected package to
version 5.8.4-2ubuntu0.6 (for Ubuntu 4.10), 5.8.4-6ubuntu1.2 (for
Ubuntu 5.04), or 5.8.7-5ubuntu1.2 (for Ubuntu 5.10).  In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-222-1 fixed a vulnerability in the Perl interpreter. It was
discovered that the version of USN-222-1 was not sufficient to handle
all possible cases of malformed input that could lead to arbitrary
code execution, so another update is necessary.

Original advisory:

  Jack Louis of Dyad Security discovered that Perl did not
  sufficiently check the explicit length argument in format strings.
  Specially crafted format strings with overly large length arguments
  led to a crash of the Perl interpreter or even to execution of
  arbitrary attacker-defined code with the privileges of the user
  running the Perl program.

  However, this attack was only possible in insecure Perl programs
  which use variables with user-defined values in string
  interpolations without checking their validity.



Re: [Full-disclosure] Phishers now abusing dynamic DNS services

2005-12-12 Thread pagvac
On 12/12/05, Florian Weimer [EMAIL PROTECTED] wrote:
 * pagvac:

  The interesting thing about this attempt is that the phisher seems to
  be using a dynamic DNS service to gain the trust from the victim.

 to gain trust? Hm?

Yes.

What I mean is that the average user will trust a URL more when
seeing the word paypal in it as a domain name, rather than some
dodgy-looking numerical IP address with a sub-directory called
paypal.

e.g.:

http://1.2.3.4/vulnerable_app/paypal

versus

http://www.paypal.25u.com


Personally I would think that more users would trust the second link.


 This is not really a new thing:

 2005-04-19 08:24:49  ebayfraud.dyndns.org  A  220.110.65.252



--
pagvac (Adrian Pastor)
www.ikwt.com - In Knowledge We Trust
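A URL triage heuristic for the two link shapes pagvac contrasts above (a brand name as a subdomain of a dynamic DNS parent, versus a bare IP address with the brand in the path), added as an example and not code from anyone in the thread. The brand list and the dynamic DNS parent list are constructed: 25u.com and dyndns.org come from the thread, no-ip.com is an assumed addition.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed lists: brands worth protecting and dynamic DNS parent domains under which
# anyone can register a label. 25u.com and dyndns.org appear in the thread; no-ip.com is assumed.
BRANDS = ("paypal", "ebay")
DYNDNS_PARENTS = ("25u.com", "dyndns.org", "no-ip.com")


def registrable_domain(host):
    """Split host into (owner domain, labels left of it).

    A dynamic DNS parent is treated as the owner domain, because the label
    under it (paypal.25u.com) belongs to whoever registered it, not to the brand.
    Otherwise the last two labels are taken as the owner domain (a simplification;
    no public suffix list is used)."""
    labels = host.lower().rstrip(".").split(".")
    for parent in DYNDNS_PARENTS:
        if host.endswith("." + parent):
            return parent, labels[:-len(parent.split("."))]
    return ".".join(labels[-2:]), labels[:-2]


def classify_url(url, brands=BRANDS):
    """Return the list of reasons a URL looks like a brand impersonation (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    reasons = []
    try:
        ipaddress.ip_address(host)          # the http://1.2.3.4/.../paypal shape
        reasons.append("ip_literal_host")
        reasons += [f"brand_in_path:{b}" for b in brands if b in path]
        return reasons
    except ValueError:
        pass                                # not an IP literal, inspect the name
    owner_domain, sub_labels = registrable_domain(host)
    if owner_domain in DYNDNS_PARENTS:      # the www.paypal.25u.com shape
        reasons.append("dynamic_dns_host")
    owner = owner_domain.split(".")[0]
    for b in brands:
        if owner == b:
            continue                        # the brand itself owns the registrable domain
        if any(b in label for label in sub_labels):
            reasons.append(f"brand_in_subdomain:{b}")
        elif b in path:
            reasons.append(f"brand_in_path:{b}")
    return reasons


if __name__ == "__main__":
    for u in ("http://www.paypal.25u.com", "http://1.2.3.4/vulnerable_app/paypal",
              "https://www.paypal.com/", "http://ebayfraud.dyndns.org/"):
        print(u, "->", classify_url(u) or "ok")
```

The check does not cover a look-alike registered domain, the case Barrie Dempster raises earlier in the thread; it only covers the two shapes discussed.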


Re: [Full-disclosure] Famous n3td3v quotes - The Director's Cut (out now on DVD)

2005-12-12 Thread Stan Bubrouski
On 12/11/05, n3td3v [EMAIL PROTECTED] wrote:
 This list is for people to disclose security information, not for
 random people to disrespect others who do disclose vulnerabilities. It

THAT IS ALL YOU DO!!!  You post some XSS vuln somewhere then criticize
everyone else on the list while touting how awesome and l337 you are. 
If all you did was post vulnerabilities do you think people would
start threads dedicated to your stupidity?


 was a personal attack, because you're trying to make fun of serious
 comments i've made. You've taken all of the quotes out of context, so
 they make little sense to anyone.


The problem is you are a tool.  You find a bug in Yahoo or Google then
diss the other 7 billion people who haven't or haven't bothered.  You
then presume they are not as skilled as you then put them down in the
most childish ways while criticizing them for doing the same in return.

You then continue to start threads, spread misinformation about people
and then tell them they're stupid.

Suggestion: Turn off your computer and go back to watching Sesame
Street on your PSP.

-sb

 On 12/11/05, Steve Russell [EMAIL PROTECTED] wrote:
  It was not a personal attack - it was humour, the
  difference being you obviously cannot tell them apart.


Re: [Full-disclosure] Re: McAfee VirusScan vs Metasploit Framework v2.x

2005-12-12 Thread Bipin Gautam
The sad thing is AV vendors don't have a proper boundary on their
products' work-scope. Though, giving a clean chit to products like
Claria/Gator is a big shame... I still strongly support the move of AV
vendors to classify products like nmap, netcat, metasploit as POTENTIAL
THREATS; though it's childish to treat those products equiv. as
hack-tools. What AV vendors currently lack is a proper and CLEAR way to
let the users choose the level of security they want. All AV vendors
still lack even basics as proper basic common standards that are
followed by all AV products.

BUT guys, come on… so you want to share the stupid flames of users over
your security product with the AV vendors as they have classified it
as a BAD-TOOL. Will that make you feel better?  It's more of your
headache and responsibility to let the users know before download that
your security product might be classified by AV as a potential threat
as, YOU KNOW, they may be used for either good or bad purposes. I don't
suppose Fyodor will take any responsibility for the action of a
malicious user if nmap is used for some malicious purpose??? How would
AV software know whether software like netcat, metasploit or nmap
found on a machine was put there by a legitimate user or by a malicious
person willing to do some further evil deeds? So as a proactive measure
they rate the software as a threat. DEFAULT DENY. Makes sense to me…
( but I agree AV vendors lack proper classification ) hey... Users
always have the option to ask their AV to ignore the particular
file/directory if they own the privilege on the machine anyway.

So what's the point in discussing such stuff??? oOo ya... a proper
and CLEAR classification from the vendors' side so that the user can
easily choose the level of protection he/she wants. But that needs
some design changes, not just on the AV signatures. Let's hope we'll
see those in some upcoming version.

Would you yank out Canvas and Core Impact products as well?
Oh, wait... there probably isn't a sig for those so you wouldn't know.
Is it just me or is everyone hearing the whispering words:
Partiality… shortsightedness…

best regards,
-Bipin Gautam

Re[2]: [Full-disclosure] Phishers now abusing dynamic DNS services

2005-12-12 Thread phased
yeah this is definitely nothing new

-Original Message-
From: pagvac [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Date: Mon, 12 Dec 2005 15:43:36 +
Subject: Re: [Full-disclosure] Phishers now abusing dynamic DNS services

 On 12/12/05, Florian Weimer [EMAIL PROTECTED] wrote:
  * pagvac:
 
   The interesting thing about this attempt is that the phisher seems to
   be using a dynamic DNS service to gain the trust from the victim.
 
  to gain trust? Hm?
 
 Yes.
 
 What I mean is that the average user will trust more an URL when
 seeing the word paypal in it as a domain name, rather than some
 dodgy-looking numerical IP address, with a sub-directory called
 paypal.
 
 e.g.:
 
 http://1.2.3.4/vulnerable_app/paypal
 
 versus
 
 http://www.paypal.25u.com
 
 
 Personall I would think that more users would trust the second link.
 
 
  This is not really a new thing:
 
  2005-04-19 08:24:49  ebayfraud.dyndns.org  A  220.110.65.252
 
 
 
 --
 pagvac (Adrian Pastor)
 www.ikwt.com - In Knowledge We Trust


[Full-disclosure] iDEFENSE Security Advisory 12.12.05: SCO Unixware Setuid 'uidadmin' Scheme Buffer Overflow Vulnerability

2005-12-12 Thread [EMAIL PROTECTED]

SCO Unixware Setuid 'uidadmin' Scheme Buffer Overflow Vulnerability

iDefense Security Advisory 12.12.05

www.iDefense.com/application/poi/display?id=350&type=vulnerabilities
December 12, 2005

I. BACKGROUND

SCO Unixware is a Unix operating system that runs on many OEM platforms.

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in the uidadmin
binary included in multiple versions of The SCO Group Inc.'s Unixware
allows attackers to gain root privileges.

The vulnerability specifically exists because of a failure to check the
length of user specified file input. If the user prepares a file longer
than 1,600 bytes and supplies the path to that file using the -S
option of uidadmin, a stack based buffer overflow occurs. This leads to
the execution of arbitrary code with root privileges, as uidadmin is
setuid root by default.

III. ANALYSIS

Successful exploitation of this vulnerability requires that a user have
local access to the system. This would allow the user to gain super user
privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in SCO
Unixware versions 7.1.3 and 7.1.4. All previous versions of SCO Unixware
are suspected to be vulnerable.

V. WORKAROUND

Remove the setuid bit from the uidadmin binary:

 chmod u-s /unixware/usr/bin/uidadmin

VI. VENDOR RESPONSE

The vendor has released the following update to address this
vulnerability:

 ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.54

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3903 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005  Initial vendor notification
10/13/2005  Initial vendor response
12/12/2005  Coordinated public disclosure

IX. CREDIT

iDefense Labs is credited with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


[Full-disclosure] (no subject)

2005-12-12 Thread John Smith
Firstly, the user ID isn't used anywhere, although its captured.
The KPID is used to determine the unique algorithm used for time-delay, and the static control algorithm used to create the dynamic encryption for the unit's auth sequence, (the two hashes created using date/time sequence and dynamic algorithm based off of control algorithm). I might not have explained that very well - sorry. One consideration would be the large amount of different algorithms to keep track of, and whether a dynamically generated algorithm can be trusted to have invariably similar characteristics, (i.e. strength, any collisions).
Second, this is still subject to a mitm attack.
Well, I know that the MITM attack would still be possible with the authenticated session, as the host is compromised, but I thought the question was how to keep the authentication itself private, as using a compromised system means everything is available anyway. Perhaps a kind of keep-alive using the time-delay could help prevent excessively easy interception of the session...
Thirdly, any message or session data is not protected as coming from the same site to/from user, compromised workstation or keypad. Indeed, a compromised machine may simply 'route' an attacker's data to appear to originate from the machine that commenced the session.
Now, the session could definitely be stolen, but again, I thought we were assuming any session was going to be compromised already. Maybe I missed the point. If we have to protect more than the authentication scheme, from what little I know, there would have to be NO involvement with the compromised machine, or users who can decrypt things themselves.. hehehe - decoder ring to check your email... :) Even hardware interrupts could be intercepted and analysed, I believe though I'm not positive, if you, say, decided to set up a method of direct communication between the USB peripheral and the user-interfaces, (which would be cool, anyway).
Well, that was my thought. I'm no engineer, so it was more of a stab in the dark, but thanks for your reply :) I think the time-delay thing and the control algorithm dynamically generating unique algorithms during encryption could really be expanded on. I haven't seen much along those lines, personally. Perhaps it's because of the overhead.


[Full-disclosure] [USN-228-1] curl library vulnerability

2005-12-12 Thread Martin Pitt
===
Ubuntu Security Notice USN-228-1  December 12, 2005
curl vulnerability
CVE-2005-4077
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libcurl2
libcurl3

The problem can be corrected by upgrading the affected package to
version 7.12.0.is.7.11.2-1ubuntu0.3 (for Ubuntu 4.10),
7.12.3-2ubuntu3.5 (libcurl3 for Ubuntu 5.04), 1:7.11.2-12ubuntu3.3
(libcurl2 for Ubuntu 5.04), or 7.14.0-2ubuntu1.2 (for Ubuntu 5.10).
In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Stefan Esser discovered several buffer overflows in the handling of
URLs. By attempting to load a URL with a specially crafted invalid
hostname, a local attacker could exploit this to execute arbitrary
code with the privileges of the application that uses the cURL
library.

It is not possible to trick cURL into loading a malicious URL with an
HTTP redirect, so this vulnerability was usually not exploitable
remotely. However, it could be exploited locally, e.g. to circumvent
PHP security restrictions.


Updated packages for Ubuntu 4.10:

Re: [Full-disclosure] Phishers now abusing dynamic DNS services

2005-12-12 Thread Graham Reed

pagvac writes:

What I mean is that the average user will trust a URL more when
seeing the word paypal in it as a domain name, rather than some
dodgy-looking numerical IP address with a sub-directory called
paypal.


Most users won't even see or notice where the link goes; that's why it
works.

What you do need the hostname for is, to bypass the alarms on webmail 
services like Yahoo!, which will display a scary pop-up if you click on a 
link that's got a numeric IP address for the hostname. 

It won't alarm on most other types of names.  At least, I was able to make 
up a name and point something in my domain at an arbitrary IP and Yahoo! 
stopped showing the warning. 

They may have a blacklist, which would catch phish sites once people know 
about the hostname. 

Of course, without HTML mail, they wouldn't be able to show one thing and
mean another.

And eBay doesn't help the whole situation: if you read the HTML version of 
eBay favorite search mail, the links take you to some site other than 
eBay.  (Actually, a doubleclick.net address--which is not resolvable on my 
network.)  Fortunately, the plain-text version has right-to-ebay.com links. 
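A heuristic check for the two hostname tricks this thread turns on: a brand name planted in a subdomain of an unrelated (e.g. dynamic DNS) domain, as in www.paypal.25u.com or ebayfraud.dyndns.org, and a bare numeric IP as the host, which is what the webmail warning above keys on. This is an added example, not code from any poster; the brand list, the legitimate-domain table and the sample message are constructed, and the registrable-domain helper assumes two-label suffixes rather than a public-suffix list.

```python
"""Heuristic phishing-link check (added illustration, not a poster's code).
Flags (a) a watched brand name in a hostname whose registrable domain is
not one of the brand's own, e.g. www.paypal.25u.com, and (b) a bare
numeric IP used as the hostname."""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed watch list: brand names commonly planted in lures.
WATCHED_BRANDS = ("paypal", "ebay")

# Constructed table of the registrable domains each brand actually uses.
LEGITIMATE_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
}

URL_RE = re.compile(r"""https?://[^\s<>"'()]+""")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-label public
    suffixes (co.uk etc.); a real deployment would use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> List[str]:
    """Return the reasons a link looks like a lure (empty list if none)."""
    reasons: List[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["URL has no hostname"]

    # (b) numeric IP as host: the user sees no name at all.
    try:
        ipaddress.ip_address(host)
        reasons.append("numeric IP address used as hostname")
    except ValueError:
        pass

    domain = registrable_domain(host)
    for brand in WATCHED_BRANDS:
        if domain in LEGITIMATE_DOMAINS[brand]:
            continue  # the brand's own domain; nothing to flag
        # (a) brand planted in a subdomain (dynamic DNS style lure).
        if brand in host:
            reasons.append(
                f"'{brand}' in hostname but registrable domain is {domain}")
        # Weaker variant from the thread: brand only in the path.
        elif brand in parts.path.lower():
            reasons.append(f"'{brand}' in path on unrelated host {host}")
    return reasons


def scan_message(text: str) -> Dict[str, List[str]]:
    """Map every flagged URL in a message body to its reasons."""
    flagged: Dict[str, List[str]] = {}
    for url in URL_RE.findall(text):
        reasons = classify_link(url)
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed sample lure (not a real message) for a stand-alone run.
SAMPLE_MESSAGE = """\
Dear customer, please confirm your account at
http://www.paypal.25u.com/login within 24 hours.
Our help centre is at https://www.paypal.com/help
Archive: http://1.2.3.4/vulnerable_app/paypal
"""

if __name__ == "__main__":
    for url, why in scan_message(SAMPLE_MESSAGE).items():
        print(url, "->", "; ".join(why))
```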




Re: [Full-disclosure] Re: McAfee VirusScan vs Metasploit Framework v2.x

2005-12-12 Thread Yvan Boily

BUT guys common… so you want to share the stupid flames of users over your security product with the AV vendors as they have classified it
as a BAD-TOOL. Will that make you feel better? It's more of your headache & responsibility to let the users know before download that your security product might be classified by AV as potential threats
as, YOU KNOW they may be used for either good or bad purpose. I don't suppose Fyodor will take any responsibility for the action of a malicious user if nmap is used for some malicious purpose??? How AV software would know whether software's like netcat, metasploit or nmap
found in a machine is put there by a legitimate user or by a malicious person willing to some further evil deeds. So as a proactive measure they rate the software's as a threat. DEFAULT DENY. Makes sense to me…
( but I agree AV vendors lack proper classification ) hey... User always has the option to ask their AV to ignore the particular file/directory if they own the privilege in the machine anyways.


The issue isn't that it is a default deny approach; it is the case that when a user requests additional information from the tool that would delete the software, they receive a very skewed perspective.

Does anyone who uses McAfee want to download the load of FoundStone tools and determine if any of those (including SuperScan!) qualify as 'hacking tools'?
http://www.foundstone.com/resources/freetools.htm

[Full-disclosure] Inside AV engines?

2005-12-12 Thread Jeroen
For penetration testing on Wintel systems, I often use netcat.exe and stuff
like pwdump. More and more I need to disable anti-virus services before
running the tools to avoid alarms and auto-deletion of the applications. It
works, but it isn't an ideal situation since theoretically a network can be
infected while the AV services are down. Recompiling tools is an option
since the source of many tools I use is available. The question is (before I
burn useless CPU cycles): can someone help me get info about the inside
of AV engines? Will addition of some rubbish to the code do the trick (->
other checksum), do I need to change some core code, or is it mission
impossible anyway? Who can help, for example, with getting some useful research
papers on the subject of detecting viruses and how to bypass the mechanisms
used? Any help will be appreciated.


Greets,

Jeroen




Re: [Full-disclosure] Inside AV engines?

2005-12-12 Thread [EMAIL PROTECTED]

I would like to have more time to explain to you clearly how to, but sorry, I
will do it quick cos I disconnect soon:

what you need to do on the infected file is to split it in different
parts with the same size, then you sort out the infected part and the ones
not. You re-split those files again but in smaller size, you sort out
again the infected one and the ones not, etc. You will find out quickly
the detected signature with byte precision.

tip: a tool out there does it really well, its name UKSpliter, its
place, google :)

nb: this method is useless when the AV detects an MD5 checksum like
pestpatrol; you change any byte and it is no more detected then...

This is the ultimate way to trick all antivirus; in the old days, it had
made the famous rootkit hackerdefender undetected by all of them. To
note: sophos and kav are harder to trick because they detect signatures
which, modded, will probably break your proggie..

cheers to undergroundkonnekt guys :)



Re: [Full-disclosure] Inside AV engines?

2005-12-12 Thread Valdis Shkesters

These days, a very popular approach is to pack malicious code with
different packers to create a large number of pseudo-versions. Tests
performed by Eric Johansen from IBM Virus CERT were presented
at the Virus Bulletin 2005 conference. He had packed the generally
known Nimda.a with different packers and tested what the possibility
was of fooling different anti-viruses. Symantec with its on-demand scanner
identified only 33%, McAfee 67%, Trend Micro 57%.

http://files.malwareblog.com/EJohansen_VB2005_Presentation.pdf
http://files.malwareblog.com/EJohansen_VB2005.pdf

Best regards,

Valdis


- Original Message - 
From: Jeroen [EMAIL PROTECTED]

To: pen-test@securityfocus.com; full-disclosure@lists.grok.org.uk
Sent: Tuesday, December 13, 2005 12:56 AM
Subject: [Full-disclosure] Inside AV engines?



[Full-disclosure] Re: 0-day for sale on ebay - New auction!

2005-12-12 Thread sdse
It looks like the same person opened another auction: 

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=6588680836


--
Please do not reply to this address 




[Full-disclosure] MDKSA-2005:226 - Updated mozilla-thunderbird package fix vulnerability in enigmail

2005-12-12 Thread Mandriva Security Team

 ___
 
 Mandriva Linux Security Advisory MDKSA-2005:226
 http://www.mandriva.com/security/
 ___
 
 Package : mozilla-thunderbird
 Date: December 12, 2005
 Affected: 2006.0, Corporate 3.0
 ___
 
 Problem Description:
 
 A bug in enigmail, the GPG support extension for Mozilla MailNews and
 Mozilla Thunderbird was discovered that could lead to the encryption
 of an email with the wrong public key.  This could potentially disclose
 confidential data to unintended recipients.
 
 The updated packages have been patched to prevent this problem.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3256
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed 

[Full-disclosure] http://www.offensivecomputing.net

2005-12-12 Thread val smith
Just wanted to let you guys know about a new computer security site at http://www.offensivecomputing.net

The purpose of this site is to foster collaborative analysis,
cataloging and identification of malware in order to improve defense
and awareness.
This was something I and other colleagues have seen the need for for a
long time but could never find anything similar, because most malware
collections are either closed lists or corporate non-public collections. This site is free and open to all.

The basic idea is to have a community site where you can search for malware based on name or md5sum and get zipped copies.
People can upload their own samples of malware and collaborate on
analysis in a sort of a blog style. (think community-commented
disassemblies, graphs, IDA databases, etc.)

I know there are some problems with the concept, such as using md5sums, but it's a start and has proven useful already.
I've got some malware collection stuff to help add to the database and I have a small collection built up over the years
that I am slowly adding as well.

I've started it off with some copies of common stuff like welchia, sobig, the sony drm rootkit, etc. and some minimal analysis.

This is NOT another Vx'ers site and the purpose isn't to propagate worms or viruses but rather provide a medium for people to
conduct collaborative defense research with full access to the tools and samples.

We're interested in any feedback, collaborations, and ideas from the
community and have already gotten a ton of response since launching
last Friday.

have a good one,

V.
